Re: Protecting database from administrators

From: Mike B. (anonymous_at_discussions.microsoft.com)
Date: 03/29/04

  • Next message: Sabri AKIN: "RDC user info" 
    Date: Mon, 29 Mar 2004 05:51:53 -0800

    If you remove the Builtin\Administrators account all you
    need to do is add the NT Authority\System account as sys
    admin. This resolves any of the below issues.

    >-----Original Message-----
    >Hari
    >
    >This is surely a weakness of MS-SQL. Take two instances:
    >
    >1. Database architecture, design and implementation is a
    valuable asset.
    >Commercially, a developer, me included, would need to
    protect the asset.
    >This allows anyone to get access to and use/change the
    data dictionary.
    >
    >2. Databases with sensitive information - for example
    patient medical
    >information - will be exposed to anyone who cares to gain
    access. This is
    >very important where an application/database is for wide
    distribution.
    >Again, for example, clinical systems for general use by
    doctors but
    >maintained by non-clinical personnel
    >
    >Many other issues/situations can be described.....
    >
    >Encrypting data is not sufficient. In any event the added
    overhead of
    >encrypted data is a potentially unnecessary overhead.
    >
    >Are there any third-party tools that will allow the whole
    data dictionary
    >for a database to be locked up?
    >
    >Are there any plans by MS to resolve this issue?
    >
    >ZSL
    >
    >"Hari Prasad" <hari_prasad_k@hotmail.com> wrote in message
    >news:OVnh2hCFEHA.1128@TK2MSFTNGP11.phx.gbl...
    >> Hi,
    >>
    >> You can't restrict the OS administrators fully, because
    they have full
    >> rights on all folders and registry keys inwhich SQL
    server resides.
    >> But, you can restrict them to an extend by
    removing "System Admin" role
    >from
    >> BUILTIN/ADMINISTRATORS account.
    >>
    >>
    >> " I had problems in the below when I removed "Syadmin
    role" from
    >> BuildIN/Administrators. So I have given back the
    sysadmin role to solve
    >the
    >> issue.
    >> 1. FULL Text Indexing
    >>
    >> 2. Maintenance Plans
    >>
    >> So do a test in test server for couple of weeks and
    then implement in
    >> Production server.
    >>
    >> Known issues after removal ,
    >>
    >> Some things to be aware of:
    >>
    >> Q237604 PRB: SQL Server Agent Does Not Start and
    Displays Error 18456
    >> Q295034 FIX: MSSearch Takes 100% CPU if
    BUILTIN\Administrators Removed
    >> Q317746 PRB: SQL Server Full-Text Search Does Not
    Populate Catalogs "
    >>
    >> Thanks
    >> Hari
    >> MCDBA
    >>
    >>
    >>
    >>
    >>
    >>
    >> Thanks
    >> Hari
    >> MCDBA
    >>
    >> "Lucio" <anonymous@discussions.microsoft.com> wrote in
    message
    >> news:15BE41F9-B847-4BDC-9682-
    028EB0D82E77@microsoft.com...
    >> > I have to install a database on my customer's site,
    >> > how can i protect it from a system administrator into
    a site where i'm
    >not
    >> an administrator?
    >>
    >>
    >
    >
    >.
    >

  • Next message: Sabri AKIN: "RDC user info"

    Relevant Pages

    • Re: Restored Server but SharePoint refusing admin access
      ... > SID/BID or remove the user from the database and add it again. ... >, In SQL Configuration Manager go to SQL> Server ... > you had) you cannot access the database from that account. ... > newly added administrator account (for me, since I added a new admin ...
      (microsoft.public.windows.server.sbs)
    • Web Server - User Access and Priviledges.
      ... restriction policy that came out with the server 2003 ... Have a logon for your everyday use and one admin ... account that your or only a few people have access to. ... >Create a second Administrator account on each Web Server. ...
      (microsoft.public.win2000.security)
    • Re: Restored Server but SharePoint refusing admin access
      ... SID/BID or remove the user from the database and add it again. ... In SQL Configuration Manager go to SQL Server ... you had) you cannot access the database from that account. ... newly added administrator account (for me, since I added a new admin account ...
      (microsoft.public.windows.server.sbs)
    • At wits end with Portal Search errors
      ... Content for this URL is excluded by the server because a no-index ... account to access this URL. ... Added in a correct Proxy server and a fake one in Central admin ...
      (microsoft.public.sharepoint.portalserver)
    • Re: Help with a member server loosing the ability to validate users
      ... The user name and passoword aren't entered in the service logon, which is set to the local system account, but within the application. ... the passwords have never changed since they were created, furthermore if the server is rebooted then the they start up and continue to work for a few days with no problems. ... In fact I only see the error as the database package is closed down each night to allow the backup and then the restart fails. ... In all cases rebooting the machine, which is now a member server, resolves the issue ...
      (microsoft.public.windows.server.active_directory)